What's essential when connecting passkeys to existing auth?

When integrating passkeys into your existing authentication and MFA systems, it's crucial to ensure compatibility and a seamless user experience. Below are the key considerations to guide your integration process:

Passkey integration requires updating user interfaces to support passkey creation, authentication, and management.

• Standalone Passkey Authentication: Use passkeys as a single login method, replacing traditional methods like passwords and SMS OTPs.
• Passkey as a Second Factor: Incorporate passkeys into existing MFA workflows, ensuring compatibility with current token generation and verification processes. This can be quite complex if you have different user states (e.g. dormant, blocked, deactivated, locked) and different existing MFA methods in place (e.g. SMS OTP, TOTP via authenticator apps, push notifications, email OTP).

• Credential Storage: Safeguard users' public keys, credential IDs, and metadata with an optimized database schema. It's also recommended to additional device, user, passkey and meta data to improve and customize the user experience and not let the user run into deadlocks.
• WebAuthn Server: Choose a compatible library (e.g., SimpleWebAuthn, fido2-net-lib) for challenge generation and verification. Configure options like authenticator selection and user verification policies. If you work in an enterprise setting, a simple WebAuthn server is probably on 10% of the solution you need, as there are many enterprise-grade features (e.g. login observability, analytics & tracking, gradual rollout, fraud detection, scalability) that you either need to build yourself or get from an enterprise passkey platform (like Corbado Connect).

• Fallback Options: Provide alternative methods like OTPs for users unable to use passkeys - be it they don't want to opt into passkeys or have devices which are not passkey-ready
• Cross-Platform Compatibility: Test extensively across browsers, devices, and operating systems to ensure a consistent experience. This is important as there are many different edge cases on particular operating system versions that you often only see in production when users of these operating system and browser version try to interact with your system. It should be thoroughly tested to avoid the worst case scenario: breaking the login and locking users out.

• Encryption Standards: Encrypt stored credentials and manage data securely.
• Regulatory Adherence: Ensure compliance with regulations like GDPR or SOC (and other industry-relevant regulations such as Essential Eight).

By addressing these considerations, you can successfully integrate passkeys into your authentication and MFA systems, enhancing both security and user convenience.